ci: Update github actions

Signed-off-by: Schubert Anselme <[email protected]>

.github/workflows/cicd.yml

@@ -16,17 +16,57 @@ jobs:
       issues: write
       pull-requests: write
       repository-projects: write
-
-  sonarqube:
-    uses: ./.github/workflows/sonarqube.yml
-  trivy:
-    uses: ./.github/workflows/trivy.yml
   # devos:
   #   uses: ./.github/workflows/devos.yml
-
-  scorecard:
-    uses: ./.github/workflows/scorecard.yml
+  trivy:
+    uses: ./.github/workflows/trivy.yml
     permissions:
       contents: write
       id-token: write
       security-events: write
+  # scorecard:
+  #   uses: ./.github/workflows/scorecard.yml
+  #   permissions:
+  #     id-token: write
+  #     security-events: write
+  # sonarqube:
+  #   uses: ./.github/workflows/sonarqube.yml
+  scorecard:
+    name: Scorecard
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
+          publish_results: true
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+        with:
+          sarif_file: results.sarif

.github/workflows/scorecard.yml

@@ -11,7 +11,6 @@ on:
         description: Whether to publish results to OpenSSF REST API
 
 permissions:
-  contents: write
   id-token: write
   security-events: write
 

.github/workflows/sonarqube.yml

@@ -1,19 +1,13 @@
 name: SonarQube
 
 on:
-  workflow_call:
-    inputs:
-      sonarqube:
-        type: boolean
-        default: false
-        description: Run SonarQube Quality Gate
+  - workflow_call
 
 permissions: read-all
 
 jobs:
   sonarqube:
     runs-on: ubuntu-latest
-    if: ${{ inputs.sonarqube }}
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
@@ -24,5 +18,5 @@ jobs:
         uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496
         timeout-minutes: 5
         env:
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/trivy.yml

@@ -3,7 +3,10 @@ name: Trivy
 on:
   - workflow_call
 
-permissions: read-all
+permissions:
+  contents: write
+  id-token: write
+  security-events: write
 
 jobs:
   trivy: